rigortype 0.1.1 → 0.1.3

data/lib/rigor/configuration.rb

@@ -2,6 +2,7 @@
 
 require "yaml"
 
+require_relative "configuration/dependencies"
 require_relative "configuration/severity_profile"
 
 module Rigor
@@ -54,10 +55,15 @@ module Rigor
       },
       "plugins_io" => {
         "network" => "disabled",
-        "allowed_paths" => []
+        "allowed_paths" => [],
+        "allowed_url_hosts" => []
       },
       "severity_profile" => "balanced",
-      "severity_overrides" => {}
+      "severity_overrides" => {},
+      "dependencies" => {
+        "source_inference" => [],
+        "budget_per_gem" => Configuration::Dependencies::DEFAULT_BUDGET_PER_GEM
+      }
     }.freeze
 
     # Top-level keys whose values are file/directory paths that
@@ -70,7 +76,9 @@ module Rigor
     attr_reader :target_ruby, :paths, :exclude_patterns, :plugins, :cache_path, :disabled_rules,
                 :libraries, :signature_paths, :fold_platform_specific_paths,
                 :plugins_io_network, :plugins_io_allowed_paths,
-                :severity_profile, :severity_overrides
+                :plugins_io_allowed_url_hosts,
+                :severity_profile, :severity_overrides,
+                :dependencies
 
     # Loads a configuration file.
     #
@@ -172,17 +180,42 @@ module Rigor
 
       merged = left.dup
       right.each do |key, value|
-        merged[key] = if merged.key?(key) && merged[key].is_a?(Hash) && value.is_a?(Hash)
-                        deep_merge(merged[key], value)
-                      else
-                        value
-                      end
+        merged[key] = merge_value(key, merged, value)
       end
       merged
     end
-    private_class_method :load_with_includes, :merge_includes, :resolve_paths_in, :deep_merge
 
-    def initialize(data = DEFAULTS) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    # Most keys are right-wins (override) or recursively
+    # merged hashes. ADR-10 § "config-conflict diagnostic"
+    # carves out `dependencies.source_inference[]`: the
+    # per-gem merge across `includes:` chains needs union
+    # behaviour with mode-conflict detection. The Hash itself
+    # still merges deeply; only the inner array gets
+    # concatenated so {Dependencies.from_h} sees every
+    # contributor's entries and can dedupe them.
+    def self.merge_value(key, merged, value)
+      if key == "dependencies" && merged[key].is_a?(Hash) && value.is_a?(Hash)
+        merge_dependencies_hash(merged[key], value)
+      elsif merged.key?(key) && merged[key].is_a?(Hash) && value.is_a?(Hash)
+        deep_merge(merged[key], value)
+      else
+        value
+      end
+    end
+
+    def self.merge_dependencies_hash(left, right)
+      out = deep_merge(left, right)
+      left_si = Array(left["source_inference"])
+      right_si = Array(right["source_inference"])
+      both_empty = left_si.empty? && right_si.empty?
+      out["source_inference"] = left_si + right_si unless both_empty # rigor:disable flow.always-truthy-condition
+      out
+    end
+    private_class_method :load_with_includes, :merge_includes, :resolve_paths_in, :deep_merge,
+                         :merge_value, :merge_dependencies_hash
+
+    # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
+    def initialize(data = DEFAULTS)
       cache = DEFAULTS.fetch("cache").merge(data.fetch("cache", {}))
       plugins_io = DEFAULTS.fetch("plugins_io").merge(data.fetch("plugins_io", {}))
 
@@ -203,13 +236,18 @@ module Rigor
       @cache_path = cache.fetch("path").to_s
       @plugins_io_network = coerce_network_policy(plugins_io.fetch("network"))
       @plugins_io_allowed_paths = Array(plugins_io.fetch("allowed_paths")).map(&:to_s).freeze
+      @plugins_io_allowed_url_hosts = Array(plugins_io.fetch("allowed_url_hosts")).map(&:to_s).freeze
       @severity_profile = coerce_severity_profile(
         data.fetch("severity_profile", DEFAULTS.fetch("severity_profile"))
       )
       @severity_overrides = coerce_severity_overrides(
         data.fetch("severity_overrides", DEFAULTS.fetch("severity_overrides"))
       )
+      @dependencies = Dependencies.from_h(
+        data.fetch("dependencies", DEFAULTS.fetch("dependencies"))
+      )
     end
+    # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
 
     def to_h
       {
@@ -226,10 +264,12 @@ module Rigor
         },
         "plugins_io" => {
           "network" => plugins_io_network.to_s,
-          "allowed_paths" => plugins_io_allowed_paths
+          "allowed_paths" => plugins_io_allowed_paths,
+          "allowed_url_hosts" => plugins_io_allowed_url_hosts
         },
         "severity_profile" => severity_profile.to_s,
-        "severity_overrides" => severity_overrides.to_h { |k, v| [k, v.to_s] }
+        "severity_overrides" => severity_overrides.to_h { |k, v| [k, v.to_s] },
+        "dependencies" => dependencies.to_h
       }
     end
 
@@ -284,7 +324,7 @@ module Rigor
     # `Configuration` does not require the plugin namespace at
     # load time (Configuration is loaded before Plugin in
     # `lib/rigor.rb`); the two stay in lockstep via spec.
-    VALID_NETWORK_POLICIES = %i[disabled].freeze
+    VALID_NETWORK_POLICIES = %i[disabled allowlist].freeze
     private_constant :VALID_NETWORK_POLICIES
 
     def coerce_network_policy(value)

data/lib/rigor/environment.rb

@@ -41,7 +41,7 @@ module Rigor
       prism rbs
     ].freeze
 
-    attr_reader :class_registry, :rbs_loader, :plugin_registry
+    attr_reader :class_registry, :rbs_loader, :plugin_registry, :dependency_source_index
 
     # @param class_registry [Rigor::Environment::ClassRegistry]
     # @param rbs_loader [Rigor::Environment::RbsLoader, nil] when nil the
@@ -57,10 +57,17 @@ module Rigor
     #   default), no plugin-level return-type contribution
     #   participates — useful for tests, the `Environment.default`
     #   facade, and analyses that don't load plugins.
-    def initialize(class_registry: ClassRegistry.default, rbs_loader: nil, plugin_registry: nil)
+    # @param dependency_source_index [Rigor::Analysis::DependencySourceInference::Index, nil]
+    #   ADR-10 slice 2b-ii. The per-run index of opt-in gem
+    #   sources the dispatcher consults BELOW RBS dispatch.
+    #   When nil (the default), no dep-source contribution
+    #   participates and the dispatcher tier is a no-op.
+    def initialize(class_registry: ClassRegistry.default, rbs_loader: nil,
+                   plugin_registry: nil, dependency_source_index: nil)
       @class_registry = class_registry
       @rbs_loader = rbs_loader
       @plugin_registry = plugin_registry
+      @dependency_source_index = dependency_source_index
       freeze
     end
 
@@ -90,7 +97,8 @@ module Rigor
       #   reflection artefacts) consult the cache. Pass `nil` (the
       #   default) to skip caching for this environment.
       # @return [Rigor::Environment]
-      def for_project(root: Dir.pwd, libraries: [], signature_paths: nil, cache_store: nil, plugin_registry: nil)
+      def for_project(root: Dir.pwd, libraries: [], signature_paths: nil, cache_store: nil, # rubocop:disable Metrics/ParameterLists
+                      plugin_registry: nil, dependency_source_index: nil)
         resolved_paths = signature_paths || default_signature_paths(root)
         merged_libraries = (DEFAULT_LIBRARIES + libraries.map(&:to_s)).uniq
         loader = RbsLoader.new(
@@ -98,7 +106,11 @@ module Rigor
           signature_paths: resolved_paths,
           cache_store: cache_store
         )
-        new(rbs_loader: loader, plugin_registry: plugin_registry)
+        new(
+          rbs_loader: loader,
+          plugin_registry: plugin_registry,
+          dependency_source_index: dependency_source_index
+        )
       end
 
       private

data/lib/rigor/flow_contribution/merger.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require_relative "conflict"
+require_relative "fact"
+require_relative "merge_result"
+
 module Rigor
   class FlowContribution
     # Composes any number of {FlowContribution} bundles into a

data/lib/rigor/inference/method_dispatcher/overload_selector.rb

@@ -8,24 +8,40 @@ module Rigor
   module Inference
     module MethodDispatcher
       # Picks the RBS overload that should answer a call given the
-      # caller's actual argument types. Slice 4 phase 2c shape:
+      # caller's actual argument types. Slice 4 phase 2c shape (with
+      # the v0.1.2 interface-strictness preference layered on top):
       #
       # 1. Filter overloads by positional arity (required, optional and
       #    rest_positionals are honored; required_keywords disqualify the
       #    overload because we do not yet thread keyword args through
       #    `call_arg_types`).
-      # 2. Within the arity-matching overloads, accept the first one
-      #    whose every (param, arg) pair returns a `yes` or `maybe`
-      #    answer from `Rigor::Type#accepts(arg, mode: :gradual)`.
-      # 3. If no overload matches, fall back to `method_types.first`
-      #    so existing call sites keep their phase 1 / 2b behavior.
-      #    This preserves the fail-soft invariant of the dispatcher.
+      # 2. **Pass 1 — strict matches first.** Among the arity-matching
+      #    overloads, prefer the first one whose every (param, arg)
+      #    pair returns a `yes` or `maybe` answer AND whose param
+      #    types do NOT translate through `RBS::Types::Alias` /
+      #    `Interface` / `Intersection`. The translator demotes those
+      #    to `Dynamic[Top]`, which gradually accepts any argument —
+      #    so without this preference, an alias-typed overload like
+      #    `Array#[](::int) -> Elem` would beat the strict
+      #    `Array#[](Range) -> Array[Elem]?` overload for a Range
+      #    argument. (Surfaced during v0.1.1 self-analysis; see the
+      #    "Interface-strictness on overload selection" item in
+      #    `docs/MILESTONES.md`.)
+      # 3. **Pass 2 — gradual fall-back.** If no fully strict overload
+      #    matches, accept the first arity-and-gradual-accept match
+      #    (the v0.1.1 behaviour). Alias / Interface / Intersection
+      #    params still reach this pass, so call sites whose only
+      #    candidate IS an alias-typed overload keep working.
+      # 4. If no overload matches at all, fall back to
+      #    `method_types.first` so existing call sites keep their
+      #    phase 1 / 2b behavior. This preserves the fail-soft
+      #    invariant of the dispatcher.
       #
       # The selector is intentionally agnostic about the dispatch kind
       # (instance vs singleton). Both kinds share the same arity and
       # acceptance shape; the difference is only in which `Definition`
       # the caller fetched.
-      module OverloadSelector
+      module OverloadSelector # rubocop:disable Metrics/ModuleLength
         module_function
 
         # @param method_definition [RBS::Definition::Method]
@@ -61,6 +77,18 @@ module Rigor
           # compatibility.
           param_overrides = RbsExtended.param_type_override_map(method_definition)
 
+          # Pass 1: prefer overloads whose param types stay strict —
+          # no translator-induced `Dynamic[Top]` from Alias /
+          # Interface / Intersection. The pass is skipped
+          # entirely when any arg is `Dynamic[Top]` (literally
+          # `untyped`), because gradual acceptance against an
+          # untyped arg accepts every param indiscriminately and
+          # would let pass 1 lock in an arbitrary strict overload
+          # (e.g. `Regexp#=~(nil) -> nil` over the
+          # `(::interned?) -> Integer?` overload). Pass 2 falls
+          # back to the original gradual matcher so overloads
+          # that legitimately rely on duck-typed params still
+          # resolve when nothing stricter applies.
           match = find_matching_overload(
             overloads,
             arg_types: arg_types,
@@ -68,7 +96,17 @@ module Rigor
             instance_type: instance_type,
             type_vars: type_vars,
             block_required: block_required,
-            param_overrides: param_overrides
+            param_overrides: param_overrides,
+            strict: true
+          ) || find_matching_overload(
+            overloads,
+            arg_types: arg_types,
+            self_type: self_type,
+            instance_type: instance_type,
+            type_vars: type_vars,
+            block_required: block_required,
+            param_overrides: param_overrides,
+            strict: false
           )
           return match if match
           return overloads.find { |mt| overload_has_block?(mt) } if block_required
@@ -84,11 +122,14 @@ module Rigor
         class << self
           private
 
-          # rubocop:disable Metrics/ParameterLists
+          # rubocop:disable Metrics/ParameterLists, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
           def find_matching_overload(overloads, arg_types:, self_type:, instance_type:, type_vars:, block_required:,
-                                     param_overrides:)
+                                     param_overrides:, strict:)
+            return nil if strict && arg_types.any? { |t| untyped_arg?(t) }
+
             overloads.find do |method_type|
               next false if block_required && !OverloadSelector.overload_has_block?(method_type)
+              next false if strict && !strictly_typed_params?(method_type, arg_types.size)
 
               matches?(
                 method_type,
@@ -100,7 +141,58 @@ module Rigor
               )
             end
           end
-          # rubocop:enable Metrics/ParameterLists
+          # rubocop:enable Metrics/ParameterLists, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+          # Treats the literal `untyped` carrier (`Dynamic[Top]`)
+          # as too imprecise to drive a strict-pass match. Other
+          # `Dynamic`-wrapped types with a concrete static facet
+          # carry enough information to pick a sensible overload.
+          def untyped_arg?(type)
+            type.is_a?(Type::Dynamic) && type.static_facet.is_a?(Type::Top)
+          end
+
+          # Returns true when every positional param the call
+          # site engages translates to a non-`Dynamic[Top]`
+          # carrier. Alias / Interface / Intersection RBS types
+          # all degrade to `Dynamic[Top]` per the translator's
+          # current shape — those gradually accept any arg, so
+          # an overload that includes one would beat strictly-
+          # typed alternatives in pass 2 of the selector.
+          def strictly_typed_params?(method_type, actual_count)
+            fun = method_type.type
+            return false unless arity_compatible?(fun, actual_count)
+
+            params = positional_params_for(fun, actual_count)
+            params.all? { |param| !alias_or_interface_param?(param.type) }
+          end
+
+          # Recursive: an Optional / Union wrapper is strict iff
+          # every member is strict. Type args of a ClassInstance
+          # are NOT walked — `Range[::int]` is a Range carrier
+          # at the param level; the alias only colours the
+          # element type, which is checked separately when the
+          # element is actually accessed.
+          #
+          # `RBS::Types::Bases::Any` (the explicit `untyped`
+          # keyword) is treated like Alias / Interface /
+          # Intersection — both translate to `Dynamic[Top]`,
+          # both gradually accept anything. A `(untyped) -> T`
+          # catch-all overload that comes after the strictly-
+          # typed ones must lose pass 1 so the typed overloads
+          # win when their param actually fits the arg.
+          def alias_or_interface_param?(rbs_type)
+            case rbs_type
+            when RBS::Types::Alias, RBS::Types::Interface,
+                 RBS::Types::Intersection, RBS::Types::Bases::Any
+              true
+            when RBS::Types::Optional
+              alias_or_interface_param?(rbs_type.type)
+            when RBS::Types::Union
+              rbs_type.types.any? { |t| alias_or_interface_param?(t) }
+            else
+              false
+            end
+          end
 
           # rubocop:disable Metrics/ParameterLists
           def matches?(method_type, arg_types, self_type:, instance_type:, type_vars:, param_overrides:)

data/lib/rigor/inference/method_dispatcher.rb

@@ -86,6 +86,18 @@ module Rigor
         )
         return rbs_result if rbs_result
 
+        # ADR-10 slice 2b-ii — dependency-source inference tier.
+        # Sits BELOW RBS dispatch (RBS / RBS::Inline / generated
+        # stubs / plugin contracts always win) and ABOVE the
+        # user-class fallback so a method defined in an opt-in
+        # gem stops emitting `call.undefined-method` even when
+        # no signature contract resolves. Returns
+        # `Dynamic[top]` — slice 2b-ii deliberately stops at the
+        # dynamic-origin envelope; per-method return-type
+        # precision is queued for a later slice.
+        dep_source_result = try_dependency_source(receiver_type, method_name, environment)
+        return dep_source_result if dep_source_result
+
         # Slice 7 phase 10 — user-class ancestor fallback. When
         # the receiver is `Nominal[T]` or `Singleton[T]` for a
         # class not in the RBS environment (typically a
@@ -125,6 +137,81 @@ module Rigor
         FlowContribution::Merger.merge(contributions).return_type
       end
 
+      # ADR-10 slice 2b-ii. Consults the per-run
+      # `Analysis::DependencySourceInference::Index` carried by
+      # the environment for `(class_name, method_name)`
+      # observations harvested from opt-in gems' `roots:`. On a
+      # hit, returns `Combinator.untyped` so the call site
+      # carries the `Dynamic[top]` provenance (per ADR-10's
+      # "Inference contract": gem-source-inferred shapes never
+      # publish as ground-truth `T`). Returns `nil` when the
+      # environment carries no index, the index has no entry, or
+      # the receiver has no nominal class to look up.
+      def try_dependency_source(receiver_type, method_name, environment)
+        index = environment&.dependency_source_index
+        return nil if index.nil? || index.empty?
+
+        class_name = dep_source_class_name(receiver_type)
+        return nil if class_name.nil?
+
+        # ADR-10 5a — per-receiver plugin veto. When a
+        # registered plugin declares `manifest(owns_receivers:
+        # [<class>])` AND the call's receiver IS that class
+        # (or a subclass), decline and let plugins handle the
+        # call. Plugins that own a receiver are the
+        # authoritative source for that type; gem-source
+        # inference must not contribute behind their backs.
+        return nil if plugin_owns_receiver?(class_name, environment)
+
+        contribution_kind = index.contribution_for(class_name: class_name, method_name: method_name)
+        return Type::Combinator.untyped if contribution_kind
+
+        # ADR-10 5b — β budget semantics. On a catalog miss,
+        # if the receiver class belongs to a budget-exceeded
+        # gem AND the user opted into `:dependency_silence`,
+        # return `Dynamic[top]` rather than falling through to
+        # the user-class fallback. The user-class fallback
+        # would otherwise emit `call.undefined-method` for
+        # methods Rigor's catalog couldn't reach because the
+        # walker hit its cap.
+        budget_silence_result(class_name, index, environment)
+      end
+
+      def budget_silence_result(class_name, index, _environment)
+        return nil unless index.budget_overrun_strategy == :dependency_silence
+
+        owning_gem = index.gem_for(class_name)
+        return nil if owning_gem.nil?
+        return nil unless index.budget_exceeded.include?(owning_gem)
+
+        Type::Combinator.untyped
+      end
+
+      def plugin_owns_receiver?(class_name, environment)
+        registry = environment&.plugin_registry
+        return false if registry.nil? || registry.empty?
+
+        registry.plugins.any? do |plugin|
+          owns = plugin.manifest.owns_receivers # rigor:disable undefined-method
+          owns.any? { |owner| receiver_matches_owner?(class_name, owner, environment) }
+        end
+      end
+
+      def receiver_matches_owner?(class_name, owner, environment)
+        return true if class_name == owner
+
+        ordering = environment.class_ordering(class_name, owner)
+        %i[equal subclass].include?(ordering)
+      rescue StandardError
+        false
+      end
+
+      def dep_source_class_name(receiver_type)
+        case receiver_type
+        when Type::Nominal, Type::Singleton then receiver_type.class_name
+        end
+      end
+
       def collect_plugin_contributions(registry, call_node, scope)
         registry.plugins.filter_map do |plugin|
           contribution = plugin.flow_contribution_for(call_node: call_node, scope: scope)

data/lib/rigor/inference/scope_indexer.rb

@@ -106,6 +106,14 @@ module Rigor
         discovered_def_nodes = build_discovered_def_nodes(root)
         seeded_scope = seeded_scope.with_discovered_def_nodes(discovered_def_nodes)
 
+        # v0.1.2 — per-class table of method visibilities
+        # (`:public` / `:private` / `:protected`). The
+        # `def.method-visibility-mismatch` CheckRule consults
+        # the table to flag explicit-non-self calls to a
+        # private user method.
+        discovered_method_visibilities = build_discovered_method_visibilities(root)
+        seeded_scope = seeded_scope.with_discovered_method_visibilities(discovered_method_visibilities)
+
         table = {}.compare_by_identity
         table.default = seeded_scope
 
@@ -340,7 +348,8 @@ module Rigor
         accumulator.transform_values(&:freeze).freeze
       end
 
-      def walk_methods(node, qualified_prefix, in_singleton_class, accumulator) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/AbcSize
+      def walk_methods(node, qualified_prefix, in_singleton_class, accumulator)
         return unless node.is_a?(Prism::Node)
 
         case node
@@ -356,6 +365,12 @@ module Rigor
             walk_methods(node.body, qualified_prefix, true, accumulator)
             return
           end
+        when Prism::ConstantWriteNode
+          if meta_new_block_body(node)
+            child_prefix = qualified_prefix + [node.name.to_s]
+            walk_methods(meta_new_block_body(node), child_prefix, false, accumulator)
+            return
+          end
         when Prism::DefNode
           record_def_method(node, qualified_prefix, in_singleton_class, accumulator)
           return
@@ -370,6 +385,24 @@ module Rigor
           walk_methods(child, qualified_prefix, in_singleton_class, accumulator)
         end
       end
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/AbcSize
+
+      # v0.1.2 — when a `Const = Data.define(*sym) do ... end`
+      # / `Const = Struct.new(*sym) do ... end` constant write
+      # carries a block, the block body holds method overrides
+      # whose canonical class is `Const`. Returns the block body
+      # node (a `Prism::StatementsNode`) when the rvalue
+      # matches; nil otherwise. Used by `walk_methods` /
+      # `walk_def_nodes` to push `Const` onto the qualified
+      # prefix before recursing.
+      def meta_new_block_body(node)
+        return nil unless node.is_a?(Prism::ConstantWriteNode)
+
+        rvalue = node.value
+        return nil unless data_define_call?(rvalue) || struct_new_call?(rvalue)
+
+        rvalue.block&.body
+      end
 
       def record_def_method(def_node, qualified_prefix, in_singleton_class, accumulator)
         return if qualified_prefix.empty?
@@ -397,7 +430,8 @@ module Rigor
         accumulator.transform_values(&:freeze).freeze
       end
 
-      def walk_def_nodes(node, qualified_prefix, in_singleton_class, accumulator) # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      def walk_def_nodes(node, qualified_prefix, in_singleton_class, accumulator)
         return unless node.is_a?(Prism::Node)
 
         case node
@@ -413,6 +447,12 @@ module Rigor
             walk_def_nodes(node.body, qualified_prefix, true, accumulator)
             return
           end
+        when Prism::ConstantWriteNode
+          if meta_new_block_body(node)
+            child_prefix = qualified_prefix + [node.name.to_s]
+            walk_def_nodes(meta_new_block_body(node), child_prefix, false, accumulator)
+            return
+          end
         when Prism::DefNode
           record_def_node(node, qualified_prefix, in_singleton_class, accumulator)
           return
@@ -422,6 +462,7 @@ module Rigor
           walk_def_nodes(child, qualified_prefix, in_singleton_class, accumulator)
         end
       end
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
 
       # v0.0.3 A — sentinel key under which `record_def_node`
       # files DefNodes that live outside any class / module
@@ -440,6 +481,134 @@ module Rigor
         accumulator[class_name][def_node.name] = def_node
       end
 
+      VISIBILITY_MODIFIERS = %i[public private protected].freeze
+
+      # v0.1.2 — per-class method-visibility table for the
+      # `def.method-visibility-mismatch` CheckRule.
+      #
+      # Tracks two visibility-changing forms:
+      #
+      # - **Modifier blocks**: a bare `private` / `protected` /
+      #   `public` call inside a class body switches the
+      #   "current default" visibility for every subsequent
+      #   `def` until another modifier flips it again.
+      # - **Named-argument form**: `private :foo, :bar` (or
+      #   the same with `protected` / `public`) marks specific
+      #   names already-recorded under the class. Symbol-only
+      #   args are recognised; `private def foo; end` (the
+      #   wrap-around form) is not yet — it would need
+      #   tracking the def-call's return-value visibility,
+      #   which is a separate slice.
+      #
+      # Top-level (no surrounding class) defs do not contribute
+      # — Ruby's top-level visibility nuances (private at
+      # top-level marks the method on `Object`) are out of
+      # scope for v0.1.2.
+      def build_discovered_method_visibilities(root)
+        accumulator = {}
+        walk_method_visibilities(root, [], false, :public, accumulator)
+        accumulator.transform_values(&:freeze).freeze
+      end
+
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/AbcSize
+      def walk_method_visibilities(node, qualified_prefix, in_singleton_class, current_visibility, accumulator)
+        return current_visibility unless node.is_a?(Prism::Node)
+
+        case node
+        when Prism::ClassNode, Prism::ModuleNode
+          name = qualified_name_for(node.constant_path)
+          if name
+            child_prefix = qualified_prefix + [name]
+            walk_method_visibilities(node.body, child_prefix, false, :public, accumulator) if node.body
+            return current_visibility
+          end
+        when Prism::SingletonClassNode
+          if node.expression.is_a?(Prism::SelfNode) && node.body
+            walk_method_visibilities(node.body, qualified_prefix, true, :public, accumulator)
+            return current_visibility
+          end
+        when Prism::ConstantWriteNode
+          if meta_new_block_body(node)
+            child_prefix = qualified_prefix + [node.name.to_s]
+            walk_method_visibilities(meta_new_block_body(node), child_prefix, false, :public, accumulator)
+            return current_visibility
+          end
+        when Prism::DefNode
+          record_def_visibility(node, qualified_prefix, in_singleton_class, current_visibility, accumulator)
+          return current_visibility
+        when Prism::CallNode
+          updated = apply_visibility_call(node, qualified_prefix, current_visibility, accumulator)
+          return updated unless updated.equal?(current_visibility)
+        end
+
+        # Statement-position StatementsNode preserves
+        # left-to-right visibility flow; everything else
+        # recurses with the entry visibility unchanged.
+        if node.is_a?(Prism::StatementsNode)
+          local_visibility = current_visibility
+          node.compact_child_nodes.each do |child|
+            local_visibility = walk_method_visibilities(child, qualified_prefix, in_singleton_class,
+                                                        local_visibility, accumulator)
+          end
+        else
+          node.compact_child_nodes.each do |child|
+            walk_method_visibilities(child, qualified_prefix, in_singleton_class, current_visibility, accumulator)
+          end
+        end
+        current_visibility
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/AbcSize
+
+      def record_def_visibility(def_node, qualified_prefix, in_singleton_class, current_visibility, accumulator)
+        return if def_node.receiver.is_a?(Prism::SelfNode) || in_singleton_class
+        return if qualified_prefix.empty?
+
+        class_name = qualified_prefix.join("::")
+        accumulator[class_name] ||= {}
+        accumulator[class_name][def_node.name] = current_visibility
+      end
+
+      # Recognises modifier calls on the implicit-self receiver
+      # inside a class body. Returns the (possibly updated)
+      # current visibility:
+      #
+      # - `private` / `public` / `protected` (no args) —
+      #   switch the running default for subsequent defs.
+      # - `private :foo, :bar` — back-patch the named methods
+      #   in the accumulator. Returns `current_visibility`
+      #   unchanged because the running default does NOT
+      #   change for this form.
+      def apply_visibility_call(call_node, qualified_prefix, current_visibility, accumulator)
+        return current_visibility unless call_node.receiver.nil?
+        return current_visibility unless VISIBILITY_MODIFIERS.include?(call_node.name)
+        return current_visibility if qualified_prefix.empty?
+
+        args = call_node.arguments&.arguments || []
+        if args.empty?
+          call_node.name
+        else
+          apply_named_visibility(args, qualified_prefix, call_node.name, accumulator)
+          current_visibility
+        end
+      end
+
+      def apply_named_visibility(args, qualified_prefix, visibility, accumulator)
+        class_name = qualified_prefix.join("::")
+        args.each do |arg|
+          name = visibility_target_name(arg)
+          next if name.nil?
+
+          accumulator[class_name] ||= {}
+          accumulator[class_name][name] = visibility
+        end
+      end
+
+      def visibility_target_name(arg)
+        return arg.unescaped.to_sym if arg.is_a?(Prism::SymbolNode) || arg.is_a?(Prism::StringNode)
+
+        nil
+      end
+
       # Registers the alias name in the `discovered_methods` table so
       # `undefined-method` diagnostics are not emitted for calls to the
       # aliased name. The kind mirrors the surrounding class context